Web Architecture 253
Privacy & Security
columbia university, school of engineering and applied science
bs in computer science, 1999
who's this guy?
13+ years writing software and managing engineers
who's this guy?
4 months zynga
who's this guy?
We all make mistakes
ivan leichtling, engineering manager for yelp's security team
who's this guy?
what are we up to
● why security matters
● what's worth protecting
● principles of security
● common exploits
● security resources
why security matters
impact to business continuity
why security matters
focus on security to ensure business continuity
why security matters
impact to finances
why security matters
focus on security to protect your finances
why security matters
impact to your users
why security matters
focus on security to protect and maintain your users
what are we up to
● why security matters
● what's worth protecting
● principles of security
● common exploits
● security resources
what's worth protecting
the first step in being a hacker is deciding what's worth stealing
the first step in security is deciding what's worth protecting
what's worth protecting
when you try to figure out what to protect, ask yourself the question
if i stole this, what could i do with it?
what are we up to
● why security matters
● what's worth protecting
● principles of security
● common exploits
● security resources
principles of security
principles of security
defense-in-depth
the principle of defense-in-depth is that layered security mechanisms increase the security of the system as a whole. if an attack causes one security mechanism to fail, other mechanisms may still provide the protection the system needs.
defense in depth is a straightforward principle: imagine your application is the last component standing and every defensive mechanism protecting it has been destroyed. now it must protect itself. for example, if you expect a firewall to protect you, build the system as though the firewall has been compromised.
principles of security
least privilege
a user or website must only be able to access information and resources necessary for its legitimate purpose
if bob in sales can't access credit card numbers, then the cards are safe if bob's password is stolen
principles of security
attack surface reduction
every feature of a website is a potential surface a hacker can try to attack.
the basic strategies of attack surface reduction are to reduce the amount of code running, reduce entry points available to untrusted users, reduce privilege levels as much as possible, and eliminate services requested by relatively few users.
principles of security
cryptography is hard
● proper use of crypto is hard to do right
● experts frequently apply crypto incorrectly
● never write your own crypto
● there's a lot of snake oil out there
what are we up to
● why security matters
● what's worth protecting
● principles of security
● common exploits
● security resources
common exploits
SQL injection
Structured Query Language (SQL) is the command set generally used to get data out of a database.
SELECT * FROM product_table WHERE type='fruit'
diagram: the SQL is sent to the database and the result comes back
common exploits
SQL injection
"SELECT * FROM " + request['table'] + " WHERE type=" + request['type']
diagram: result returned from a database that has 2 tables
SQL injection is an exploit where a SQL query is built using input from the user. the attacker sends specific input that causes the website to show, edit, or destroy unintended information in the database.
common exploits
protecting against SQL injection
● never write raw SQL in your web code; instead use a library for accessing the database that explicitly protects against SQL injection
● libraries make use of things like prepared statements and query escaping
● use active proxy tools like ratproxy or burp proxy to test for SQL injection on your site
● apply defense-in-depth
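As an added example (not code from the slides), here is the slide's concatenated query beside the library-style fix: the value is bound as a parameter, and because a table name cannot be bound, it is checked against an allow-list. The in-memory database, the request dicts and the hostile value are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample database: two tables, like the slide's "database has 2 tables".
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product_table (name TEXT, type TEXT);
        INSERT INTO product_table VALUES ('apple', 'fruit'), ('carrot', 'vegetable');
        CREATE TABLE user_table (email TEXT, password_hash TEXT);
        INSERT INTO user_table VALUES ('bob@example.com', 'hash-placeholder');
    """)
    return conn

def vulnerable_query(conn, request):
    # The slide's pattern: request fields are spliced straight into the SQL text,
    # so a quote character in request['type'] changes the structure of the query.
    sql = ("SELECT * FROM " + request["table"]
           + " WHERE type='" + request["type"] + "'")
    return conn.execute(sql).fetchall()

# Identifiers (table names) cannot be passed as bound parameters, so the only
# safe option is an allow-list of the tables this endpoint may read.
ALLOWED_TABLES = {"product_table"}

def safe_query(conn, request):
    table = request["table"]
    if table not in ALLOWED_TABLES:
        raise ValueError("unexpected table name: %r" % table)
    # The value is handed to the driver as a parameter: the database receives it
    # as data, never as part of the SQL text, whatever characters it contains.
    sql = "SELECT * FROM %s WHERE type = ?" % table
    return conn.execute(sql, (request["type"],)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    normal = {"table": "product_table", "type": "fruit"}
    # Constructed hostile value: the quote closes the literal and appends a condition.
    hostile = {"table": "product_table", "type": "fruit' OR type='vegetable"}
    print(vulnerable_query(conn, normal), safe_query(conn, normal))
    print(vulnerable_query(conn, hostile), safe_query(conn, hostile))
```

The vulnerable version returns rows the caller never asked for; the parameterised version returns nothing, because the whole hostile string is compared as one literal value.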
common exploits
XSS - cross site scripting
    <title>search for stuff</title>
    <body>
      <h1>searching for {{ term }}</h1>
      <ul>
      {% for result in search_results %}
        <li><a href="{{ result.url }}">{{ result.name }}</a></li>
      {% endfor %}
      </ul>
    </body>
    <title>search for stuff</title>
    <body>
      <h1>searching for <script>alert('hacked')</script></h1>
      <ul>
      </ul>
    </body>
XSS is an exploit where a page displays user input. the attacker sends specific input that causes the website to unintentionally run malicious javascript.
● reflected XSS - user input is echoed back right away
● stored XSS - user input is stored in a database and then shown on a different page
common exploits
protecting against XSS
html allows special characters like < or > to be represented with an escape sequence. an escape sequence can't trick a browser into running a <script> tag where one wasn't intended.
● always validate input as soon as it is received
● always escape output before sending it to the user

character   escape sequence
<           &lt;
>           &gt;
"           &quot;
&           &amp;
● html template systems like jinja2 or django provide automatic escaping on output
● use active proxy tools like rat proxy or burp proxy to test for XSS on your site
● apply the principle of defense-in-depth: check input on the client with javascript, check input again on the server, then check output
    <title>search for stuff</title>
    <body>
      <h1>searching for {{ html_escape(term) }}</h1>
      <ul>
      {% for result in search_results %}
        <li><a href="{{ result.url }}">{{ result.name }}</a></li>
      {% endfor %}
      </ul>
    </body>
    <title>search for stuff</title>
    <body>
      <h1>searching for &lt;script&gt;alert('hacked')&lt;/script&gt;</h1>
      <ul>
      </ul>
    </body>
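As an added example (not the slides' code), the escape table above implemented as a function and used by a hypothetical renderer of the search template, with one check the slides do not show: escaping keeps a URL inside the quotes of href="...", but does not stop a javascript: URL from running when clicked, so the scheme is allow-listed as well. The sample term and results are constructed.

```python
from urllib.parse import urlsplit

# The slide's escape table: these four characters are what let untrusted text
# break out of an HTML text node or a quoted attribute value.
# (The stdlib html.escape does the same and also escapes the single quote.)
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}

def html_escape(text):
    # One pass over the characters, so the '&' of an entity just produced is
    # never escaped a second time.
    return "".join(ESCAPES.get(ch, ch) for ch in text)

# Allowed link schemes; the empty scheme is a relative URL such as /search?q=apples.
SAFE_SCHEMES = {"http", "https", ""}

def safe_url(url):
    # Scheme check first, then the same escaping as any other attribute value.
    if urlsplit(url).scheme.lower() not in SAFE_SCHEMES:
        return "#"
    return html_escape(url)

def render_search_page(term, search_results):
    # Hypothetical renderer mirroring the slide's template, with escaping applied
    # at every point where untrusted data is written into the page.
    items = "".join(
        '<li><a href="%s">%s</a></li>' % (safe_url(r["url"]), html_escape(r["name"]))
        for r in search_results
    )
    return ("<title>search for stuff</title><body>"
            "<h1>searching for %s</h1><ul>%s</ul></body>"
            % (html_escape(term), items))

if __name__ == "__main__":
    # Constructed inputs: the slide's probe term plus one result with a bad link.
    page = render_search_page(
        "<script>alert('hacked')</script>",
        [{"name": "apples & pears", "url": "https://example.com/?q=a&b"},
         {"name": "bad link", "url": "javascript:void(0)"}])
    print(page)
```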
common exploits
man-in-the-middle
when pages show sensitive data but don't use https, then an attacker can spy on the sensitive data. this spying is called man-in-the-middle.
common exploits
protecting against man-in-the-middle
● design your site to only transmit sensitive data over https. adding https late makes design hard
● never mix https and http images, scripts, or other resources on the same page
● make sure your SSL certificate is valid
● apply the principle of attack surface reduction. the less sensitive data you show, the better
common exploits
CSRF - cross site request forgery
    <title>learn more about ivan.com</title>
    <body>
      <h1>ivan is really interesting</h1>
      <a href="https://www.gmail.com/delete_all">
        click here to learn more!!
      </a>
    </body>
whoa! unexpected!
    <title>see my awesome photo</title>
    <body>
      <h1>photos are neat</h1>
      <img src="https://www.gmail.com/delete_all">
      see a pretty photo!!
    </body>
that's no image!
CSRF tricks a user's browser into sending a request to a site where the user is already authenticated. the user ends up executing actions of the attacker's choosing. a successful CSRF exploit can compromise end-user data and operations in the case of a normal user; attacks targeting an administrator account can compromise an entire site.
protecting against CSRF
● require that sensitive actions use an http POST (a form) rather than a GET (a simple link)
● use a framework like django or jinja which has built-in CSRF protection for form POSTs
  ○ forms include a hidden field with a secret value that has to be submitted with the form
  ○ CSRF tokens are tied to a specific user and pageview
  ○ attackers can not guess what magic token should go with a specific
    <form method="post" action="/delete_all">
      <input type="hidden" name="csrf_token" value="jBGh345Tls98" />
      <input type="submit" value="delete your mail" />
    </form>
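As an added example (not the slides' own code, nor django's or jinja's implementation), an HMAC-based token scheme that does what the bullets above describe: the token is tied to the user's session and to the page it protects, it is placed in the hidden field of the slide's form, and the handler rejects GETs and any POST whose token does not verify. The server secret, session ids and handler are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; a real deployment loads it from configuration, never from source.
SERVER_SECRET = b"constructed-demo-secret-do-not-deploy"
ACTION = "/delete_all"

def make_csrf_token(session_id, form_action):
    # Bind the token to this user's session and to the page (form action) it
    # protects: a value that a page on another site cannot know or guess.
    nonce = secrets.token_hex(8)
    msg = "%s|%s|%s" % (session_id, form_action, nonce)
    mac = hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha256).hexdigest()
    return nonce + "." + mac

def verify_csrf_token(token, session_id, form_action):
    # Recompute the MAC for this session and page; compare in constant time.
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    msg = "%s|%s|%s" % (session_id, form_action, nonce)
    expected = hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def render_delete_form(session_id):
    # The slide's form, with the hidden field holding a token minted for this session.
    return ('<form method="post" action="%s">'
            '<input type="hidden" name="csrf_token" value="%s" />'
            '<input type="submit" value="delete your mail" /></form>'
            % (ACTION, make_csrf_token(session_id, ACTION)))

def handle_delete_all(method, form, session_id):
    # Hypothetical handler: the sensitive action needs a POST (a link or an <img>
    # only produces a GET) and a token that matches this session and this action.
    if method != "POST":
        return 405
    if not verify_csrf_token(form.get("csrf_token"), session_id, ACTION):
        return 403
    return 200

if __name__ == "__main__":
    print(render_delete_form("sess-1"))
    good = make_csrf_token("sess-1", ACTION)
    print(handle_delete_all("GET", {}, "sess-1"),
          handle_delete_all("POST", {}, "sess-1"),
          handle_delete_all("POST", {"csrf_token": good}, "sess-1"))
```

A token minted for one session or one action does not verify for another, which is what stops a forged cross-site request from reusing someone else's token.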
common exploits
social engineering
social engineering is manipulating people into divulging confidential information like passwords, private website addresses, information on how data is stored, etc.
there are few technical solutions to social engineering but user education, policies, and good use of security principles help mitigate.
what are we up to
● why security matters
● what's worth protecting
● principles of security
● common exploits
● security resources
security resources
OWASP - Open Web Application Security Project
https://www.owasp.org
tons more information on all these topics
security resources
CWE - Common Weakness Enumeration
http://cwe.mitre.org
tons more information on all these topics
security resources
reddit /r/netsec
http://www.reddit.com/r/netsec
topical discussion among professionals and wannabes